Audit assurance, authentication, and authorization form the basis of a security infrastructure for a network. In combination, these functions answer questions such as who a network user is, which network resources that user is authorized to use, and what actions the user performed. They are of particular importance in determining whether a network system has been compromised, or “hacked”.
Often, the security infrastructure is assembled from components that each have their own realm of authentication, authorization and audit. These components may operate at different layers, come from different manufacturers, and run on different platforms. Coordinating the use of such a security infrastructure is therefore a complex and ad hoc procedure. Many security breaches go undetected simply because the security infrastructure of a network is too difficult to coordinate. As a result, only obvious breaches, such as the defacing of a web page, are noticed by the security administrators of a network. Breaches of the internal systems, the applications, and the databases, which typically form the backbone of an administered system, are much harder to detect.
Maintaining audit records is particularly complex because each component has its own style and format for generating, consolidating, analyzing and managing them. Analysis of consolidated audit records from multiple systems is critical both to determining when a security breach has occurred and to understanding the overall security of the network. Currently, security administrators have two ways to manage audit records. First, they may log in to each software component in turn and learn that component's specific audit tool. Second, they may collect audit record data from multiple end points, convert the data to some canonical form, and then analyze it.
Past attempts to centralize audit management have met with mixed results. Systems such as ETRUST, manufactured by COMPUTER ASSOCIATES INTERNATIONAL INC., aggregate audit records, but do so by periodically pulling the records from applications. Such a pull often does not occur until many hours after a breach has taken place. Even while a breach is in progress, the records are pulled only at discrete intervals, which makes in-progress detection difficult. Furthermore, because the audit records come from different applications, they typically arrive in distinct formats, so very little analysis can be performed on them once they are aggregated.
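The second approach above, collecting records from several end points, converting them to a canonical form and analyzing the merged stream, is illustrated by the following added example. It is not code from the original text or from any product named above; the three input formats (an Apache-style web access log, a JSON-per-line application log and a CSV database audit trail), the sample records and the user names are all constructed for the example. Each parser maps its format onto one canonical record (timestamp, source, user, IP, action, outcome), the records are merged in time order, and a per-event detector raises an alert at the moment a user accumulates several login failures across components, and a second alert if that user then logs in successfully while the window is still open. Because the detector runs on each record as it arrives, the alert carries the timestamp of the triggering event rather than of some later polling cycle.

```python
import csv
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit records, one format per component. They are
# illustrative only and do not reproduce any real product's output.
WEB_LOG = """\
10.0.0.5 - alice [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - bob [10/Oct/2023:13:55:41 +0000] "GET /home HTTP/1.1" 200 2048
10.0.0.5 - alice [10/Oct/2023:13:55:58 +0000] "POST /login HTTP/1.1" 200 734
""".splitlines()

APP_LOG = """\
{"time": "2023-10-10T13:55:40Z", "event": "auth.login", "user": "alice", "result": "fail", "ip": "10.0.0.5"}
{"time": "2023-10-10T13:55:45Z", "event": "order.create", "user": "bob", "result": "ok", "ip": "10.0.0.9"}
""".splitlines()

DB_AUDIT = """\
2023-10-10 13:55:50,alice,10.0.0.5,LOGIN,FAILED
2023-10-10 13:56:05,alice,10.0.0.5,GRANT,OK
""".splitlines()

WEB_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_web(line):
    """Apache-style access-log line -> canonical record."""
    m = WEB_RE.match(line)
    if not m:
        raise ValueError("unparsed web line: %r" % line)
    ip, user, ts, _method, path, status = m.groups()
    return {"ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "source": "web", "user": user, "ip": ip,
            "action": "login" if path == "/login" else path,
            "outcome": "failure" if status in ("401", "403") else "success"}


def parse_app(line):
    """JSON-per-line application log -> canonical record."""
    d = json.loads(line)
    return {"ts": datetime.fromisoformat(d["time"].replace("Z", "+00:00")),
            "source": "app", "user": d["user"], "ip": d["ip"],
            "action": "login" if d["event"] == "auth.login" else d["event"],
            "outcome": "failure" if d["result"] == "fail" else "success"}


def parse_db(line):
    """CSV database audit-trail line -> canonical record (timestamps assumed UTC)."""
    ts, user, ip, op, result = next(csv.reader([line]))
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
            "source": "db", "user": user, "ip": ip, "action": op.lower(),
            "outcome": "failure" if result == "FAILED" else "success"}


def consolidate(web=WEB_LOG, app=APP_LOG, db=DB_AUDIT):
    """Convert every component's records to the canonical form and merge them
    into a single time-ordered stream."""
    records = [parse_web(l) for l in web]
    records += [parse_app(l) for l in app]
    records += [parse_db(l) for l in db]
    records.sort(key=lambda r: r["ts"])
    return records


def detect(records, window_seconds=60, threshold=3):
    """Per-event detector over the canonical stream. Fires 'auth_failure_burst'
    as soon as a user reaches `threshold` login failures (from any mix of
    components) inside the sliding window, and 'success_after_failures' if
    that user then logs in successfully while the window is still open."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # user -> (timestamp, source) of recent failures
    burst_at = {}                   # user -> time the burst alert fired
    alerts = []
    for r in records:
        if r["action"] != "login":
            continue
        user, ts = r["user"], r["ts"]
        q = failures[user]
        while q and ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if r["outcome"] == "failure":
            q.append((ts, r["source"]))
            if len(q) >= threshold and user not in burst_at:
                burst_at[user] = ts
                alerts.append({"ts": ts, "user": user, "kind": "auth_failure_burst",
                               "sources": sorted({s for _, s in q})})
        elif user in burst_at and ts - burst_at[user] <= window:
            alerts.append({"ts": ts, "user": user, "kind": "success_after_failures",
                           "sources": [r["source"]]})
            del burst_at[user]
    return alerts


if __name__ == "__main__":
    for a in detect(consolidate()):
        print(a["ts"].isoformat(), a["user"], a["kind"], ",".join(a["sources"]))
```

In the constructed data the three failures for `alice` are spread across the web server, the application and the database; none of the three components on its own sees more than one failure, so the burst is visible only in the canonical, merged stream. The alert fires on the third failure at 13:55:50 and escalates on the successful login eight seconds later; a collector that pulled the same records at, say, four-hour intervals would surface the identical pattern hours after the fact.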